Exploring the clustering of software vulnerability disclosure notifications across software vendors

This exploratory empirical paper investigates annual time delays between vulnerability disclosure notifications and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) this clustering also explains a portion of the time delays, although (c) the clustering is not stable from year to year, and (d) the computed network clusters can also be interpreted by reflecting them against common software security attack surfaces. The results can be used to contemplate (e) practical means by which the efficiency of vulnerability disclosure could be improved.
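The abstract describes two steps that are easy to misread without seeing them concretely: projecting a bipartite vendor-vulnerability structure onto a one-mode vendor-vendor network, and then running a community detection algorithm on that projection. The following is an added illustration, not code from the paper or its authors. The vendor names and vulnerability identifiers are constructed placeholders (not real CVE ids), and the community detection step is a plain greedy modularity-maximization merge written here for self-containment; the paper says only that it used "a conventional community detection algorithm", so this is one such algorithm, not necessarily the paper's choice. The projection weights each vendor-vendor edge by the number of vulnerabilities the two vendors share, which is the usual weighted one-mode projection.

```python
from collections import defaultdict
from itertools import combinations

# Constructed toy data: vulnerability id -> vendors whose products it affects.
# The ids are placeholders, not real CVE identifiers; the vendor names are invented.
VULN_TO_VENDORS = {
    "VULN-1": {"VendorA", "VendorB", "VendorC"},  # e.g. a shared component hitting three vendors
    "VULN-2": {"VendorA", "VendorB"},
    "VULN-3": {"VendorB", "VendorC"},
    "VULN-4": {"VendorD", "VendorE"},              # a second, largely separate group
    "VULN-5": {"VendorD", "VendorE", "VendorF"},
    "VULN-6": {"VendorE", "VendorF"},
    "VULN-7": {"VendorC", "VendorD"},              # a single weak bridge between the groups
    "VULN-8": {"VendorG"},                         # a vendor that shares no vulnerability with anyone
}


def project_to_vendors(vuln_to_vendors):
    """One-mode projection of the bipartite vendor-vulnerability structure.

    Two vendors become adjacent when at least one vulnerability affects both;
    the edge weight counts how many vulnerabilities they share.
    Returns (set of all vendors, {(u, v): weight}) with u < v.
    """
    weights = defaultdict(int)
    vendors = set()
    for affected in vuln_to_vendors.values():
        vendors |= affected
        for u, v in combinations(sorted(affected), 2):
            weights[(u, v)] += 1
    return vendors, dict(weights)


def modularity(vendors, weights, membership):
    """Weighted Newman-Girvan modularity Q = sum_c [L_c/m - (D_c/2m)^2].

    L_c is the total edge weight inside community c, D_c the summed vendor
    strengths in c, m the total edge weight. membership maps vendor -> label.
    """
    strength = defaultdict(float)
    internal = defaultdict(float)
    m = 0.0
    for (u, v), w in weights.items():
        strength[u] += w
        strength[v] += w
        m += w
        if membership[u] == membership[v]:
            internal[membership[u]] += w
    if m == 0:
        return 0.0
    degree_sum = defaultdict(float)
    for v in vendors:
        degree_sum[membership[v]] += strength[v]
    return sum(internal[c] / m - (degree_sum[c] / (2 * m)) ** 2 for c in degree_sum)


def greedy_communities(vendors, weights):
    """Agglomerative modularity maximization: start with one community per
    vendor and repeatedly merge the pair whose merge raises Q the most,
    stopping when no merge has a strictly positive gain.
    Returns a frozenset of frozensets (the communities).
    """
    membership = {v: i for i, v in enumerate(sorted(vendors))}
    q = modularity(vendors, weights, membership)
    while True:
        labels = sorted(set(membership.values()))
        best_trial, best_gain = None, 0.0
        for a, b in combinations(labels, 2):
            trial = {v: (a if c == b else c) for v, c in membership.items()}
            gain = modularity(vendors, weights, trial) - q
            if gain > best_gain:  # strict: ties keep the first candidate, isolated vendors stay alone
                best_trial, best_gain = trial, gain
        if best_trial is None:
            break
        membership, q = best_trial, q + best_gain
    groups = defaultdict(set)
    for v, c in membership.items():
        groups[c].add(v)
    return frozenset(frozenset(g) for g in groups.values())


if __name__ == "__main__":
    vendors, weights = project_to_vendors(VULN_TO_VENDORS)
    communities = greedy_communities(vendors, weights)
    membership = {v: i for i, c in enumerate(communities) for v in c}
    print("vendor-vendor edges:", weights)
    print("communities:", [sorted(c) for c in communities])
    print("modularity:", round(modularity(vendors, weights, membership), 4))
```

With the constructed input the projection yields a two-cluster vendor network joined by one weak edge, and the greedy merge recovers those two clusters while leaving the vendor with no shared vulnerabilities on its own. In the paper's setting this projection would be rebuilt per year, which is where the observed annual instability of the clustering comes from: a single widely shared component can create or dissolve a cluster between one year and the next.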
